
Data Exposed in OXO, Amazon and MongoDB Leaks

Dual data exposures and a wide-scale data leak due to a vulnerable MongoDB database have kicked off 2019 so far.

2019 has so far been making good on security experts’ predictions that there will be no ebb in data exposures for the new year: In the first half of January, several data breaches and leaks have already come to light, including three notable incidents at well-known firms in just the past week.

Over the course of the last few days, OXO and Amazon India disclosed that customers’ personal data had been compromised in separate incidents. Also making headlines last week was a massive data leak stemming from a vulnerable MongoDB that left millions of resumes open for the taking on the internet.

“Breaches at large entities, such as Amazon, are inevitable given the complexity of their technology and the size of their proprietary development, where a single bug can result in sizable data loss,” said Raj Bakhru, partner at ACA Aponix, in an email. “It’s likely we’ll continue to see this with large-cap companies across sectors, and that there are on-going breaches at many of these entities.”

Interested in learning more about data breach trends? Join the free Threatpost webinar on Wednesday, Jan. 23 at 2 p.m. ET, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery.

OXO Breach

OXO, the modern kitchen tool and housewares firm, said in an advisory sent to customers that it had discovered a breach that impacted data entered on its e-commerce website during certain times in 2017 and 2018.

Specifically, compromised data had been entered during these timeframes: June 9, 2017 to November 28, 2017; June 8, 2018 to June 9, 2018; and July 20, 2018 to October 16, 2018. The breach was first discovered Dec. 17.

The NYC-based manufacturing firm said that the compromise may have allowed access to names, billing and shipping addresses, and credit-card information.

OXO did not reveal the cause of the breach other than to say that unauthorized code was discovered on its website: “OXO has investigated the nature of the malicious code, removed the unauthorized code, conducted systems scans and reissued access credentials,” it said.

Robert Capps, vice president and authentication strategist for NuData Security, said the breach appears to be a Magecart-like attack.

The Magecart threat group, known for using digital skimmers to steal payment data from unsuspecting website visitors, has been behind several large-scale breaches, including those of Ticketmaster and British Airways.

“The loss of credit-card data is a worry for all organizations, not just the targeted company,” Capps said in an email. “The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”

Amazon India

Amazon India also suffered a data exposure this week, which revealed the tax data of about 400,000 sellers on Amazon. According to the India Economic Times, the breach came from an internal technical glitch, and ended up exposing the tax reports of sellers.

The issue was discovered last Sunday, and has since been fixed.

When reached for comment, Amazon did not give additional details about the breach’s root cause, but an Amazon spokesperson told Threatpost: “On Sunday, some sellers who attempted to download Merchant Tax Reports (MTRs) for the month of December 2018 experienced a technical issue. Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct MTR reports.”

This is not Amazon’s only recent breach. In November, the company notified customers that their email addresses were inadvertently exposed due to an API issue. Details still remain scant about how many are impacted by that incident, but Amazon says its servers were not breached and it didn’t give away any other personal info.

MongoDB Leak

Meanwhile, a Thursday report disclosed a data leak stemming from an unprotected MongoDB that exposed millions of job-seekers’ resumes.

The leak, discovered by Bob Diachenko, director of Cyber Research at Hacken.io, was due to an 854 GB MongoDB database that lacked password or login authentication. The database contained the details of more than 200 million resumes for Chinese job-seekers.

The unprotected data was open and available for about a week, according to the report.

“Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience, but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more,” said the report.

The database, the owner of which Diachenko was unable to discover, has since been secured – but that doesn’t stop concerns about what could happen if a bad actor got his hands on the data.

“No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at risk at any given time,” Jonathan Deveaux, head of enterprise data protection for Comforte, said in an email. “More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimize exposures of all sizes.”


Authors

Threatpost
